Symantec PGP Virtual Disk Problem - Mac OS X 10.7.4 (Lion)

Under PGP Desktop v10.2.0 MP4, PGP Virtual Disks will not mount after an upgrade to Mac OS X 10.7.4. This is a known issue. A Symantec PGP discussion thread examines this topic. A procedure that allows the recovery of the contents of an encrypted PGP Virtual Disk, but leaves the contents in an unencrypted state, is described in:

PGP Desktop v10.2.1 MP1 for Mac OS X, which solves the problem, was posted on 9-Jul-2012.

Mac OS X provides an alternate method for creating and using encrypted disk images, which is described below.

Once you have recovered the contents of your PGP Virtual Disk using the procedure described in the link above, the contents can be stored in a new encrypted disk image created with the Mac OS X command-line tool hdiutil as follows:

  1. First create the simplest possible certificate in Keychain Access:
    1. Keychain Access -> Certificate Assistant -> Create A Certificate...
    2. Give the certificate a name (for example, FooDisk), leave all other options as they are (Self Signed Root, S/MIME (Email)) and click Create.

  2. Then, find the public key (40 digits, in hex) for this certificate:
    % security find-certificate -c "FooDisk" | \
        grep hpky | awk '{print $1;}' | sed 's/^.*x//'
    The output of the command will look like the following (a 40 digit hex string):
  3. Then, to create (for example) a 1GByte (max) AES-128 encrypted sparse image (a virtual disk image that can expand up to a pre-determined maximum size) using the newly created key, and also a keyboard-entered password, enter the following commands:
    % set NAME="FooDisk"
    % set SIZE="1g"
    % set PUBKEY="70CAF2CD1EC2F631294B32428B27FC16D12B9546" 
    % /usr/bin/hdiutil create \
      -type SPARSE \
      -size ${SIZE} \
      -fs HFS+J \
      -layout GPTSPUD \
      -volname "${NAME}" \
      -nospotlight \
      -encryption \
      -agentpass \
      -pubkey "${PUBKEY}" \
      "${NAME}"
    You will be prompted (twice) to enter a password to open the encrypted disk image.

    hdiutil options explained:
    -type SPARSE
      creates a sparse image, which is expandable, as needed, up to the size indicated by the -size option.
    -size ${SIZE}
      sets the maximum size of the sparse image.
      Note that the size can be specified as follows: -size ??b|??k|??m|??g|??t|??p|??e in the style of mkfile(8) with the addition of tera-, peta-, and exa-bytes sizes (note that 'b' specifies a number of sectors, not bytes).
    -fs HFS+J
      formats the Virtual Disk as Mac OS Extended (Journaled).
    -layout GPTSPUD
      makes the partition map scheme GUID.
    -volname "${NAME}"
      sets the mounted volume name.
    -nospotlight
      disables Spotlight indexing of the mounted volume.
    -encryption
      causes the sparse image to be encrypted with AES-128.
    -encryption AES-256
      PGP Virtual Disks are encrypted with AES-256. The same level of encryption can be used in the procedure above with this option.
    -agentpass
      includes a password to open the encrypted disk image.
      This is a good backup in case the public key for the certificate (in the user's login keychain) isn't available.
    -pubkey "${PUBKEY}"
      uses the 40 digit hex key to encrypt the sparse image.
    "${NAME}"
      This will be the name of the sparse image file (with the extension .sparseimage added).

  4. Then, to check the newly created disk image and confirm that it is encrypted:
    % hdiutil imageinfo "${NAME}".sparseimage
  5. Then, this new sparseimage can be mounted (by double-clicking on the name in Finder) and files can be stored in the mounted disk image.
This method of storing files in an encrypted disk image appears to have most (perhaps all) of the advantages of the PGP Virtual Disk. See the man page on hdiutil for more information on the various options.
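
The pipeline in step 2 does not check its result, so a missing certificate would leave PUBKEY set from empty output. The following added example (not part of the original page; written for sh/bash rather than the csh used above) extracts the hpky value and accepts it only when exactly one 40 digit hex value is present. The function names and the sample `security` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate the "hpky" value before it is used with
# hdiutil -pubkey. Function names and sample data are constructed.

# Constructed, abridged sample of `security find-certificate -c "FooDisk"`
# output; the hash is the example value used on this page.
sample_output() {
    cat <<'EOF'
keychain: "/Users/example/Library/Keychains/login.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="FooDisk"
    "hpky"<blob>=0x70CAF2CD1EC2F631294B32428B27FC16D12B9546  "p\312\362\315..."
    "labl"<blob>="FooDisk"
EOF
}

# Reads `security find-certificate` output on stdin. Prints the hash and
# returns 0 only if exactly one hpky attribute with 40 hex digits is present.
extract_hpky() {
    hashes=$(sed -n 's/^[[:space:]]*"hpky"<blob>=0x\([0-9A-Fa-f]*\).*$/\1/p')
    # grep -c exits non-zero on zero matches; "|| true" keeps "set -e" happy.
    count=$(printf '%s\n' "$hashes" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one hpky attribute, found $count" >&2
        return 1
    fi
    if [ "${#hashes}" -ne 40 ]; then
        echo "hpky has ${#hashes} hex digits, expected 40" >&2
        return 1
    fi
    printf '%s\n' "$hashes"
}

# Demo on the constructed sample. On a Mac, feed it the real output:
#   security find-certificate -c "FooDisk" | extract_hpky
if PUBKEY=$(sample_output | extract_hpky); then
    echo "PUBKEY=${PUBKEY}"
else
    echo "refusing to run hdiutil without a valid hpky value" >&2
fi
```
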
Last updated 12:00:14 PM PDT, Wednesday, July 11, 2012